[MIR] pappl-retrofit

Bug #2031814 reported by Till Kamppeter
This bug affects 1 person
Affects: pappl-retrofit (Ubuntu)
Status: Incomplete
Importance: Undecided
Assigned to: Till Kamppeter

Bug Description

[Availability]

The package pappl-retrofit is already in Ubuntu universe.
The package pappl-retrofit builds for the architectures it is designed to work
on.
It currently builds and works for architectures:
    amd64, arm64, armhf, ppc64el, riscv64, s390x

Link to package https://launchpad.net/ubuntu/+source/pappl-retrofit

[Rationale]

 - The package pappl-retrofit is required in Ubuntu Main for two reasons,
   both for the need of Printer Applications as replacement for classic
   CUPS drivers for CUPS 3.x and for the CUPS Snap:
   - Legacy Printer Application which maps any classic driver
     installed into classic CUPS locations into an emulation of an IPP
     printer. This is how we can accommodate any proprietary
     legacy driver so that users can continue using their printer in
     23.10 and later.
   - libpappl-retrofit makes it easy for developers to turn any
     classic CUPS driver into a Printer Application

 - legacy-printer-app of pappl-retrofit is needed in Ubuntu Main in
   Ubuntu 23.10, due to the CUPS Snap being used as the standard print
   environment. The CUPS Snap does not support installing classic CUPS
   drivers and legacy-printer-app ensures that any proprietary legacy
   printer drivers can continue to be used.

The package consists of 2 parts: libpappl-retrofit and legacy-printer-app

The source package needs to get promoted to Main and the binary
package legacy-printer-app needs to get promoted to Main, and as a
dependency also libpappl-retrofit needs to get promoted to Main.

[Security]

No CVEs/security issues in this software in the past

 - no `suid` or `sgid` binaries
 - Daemon executable legacy-printer-app in `/usr/sbin`.
 - legacy-printer-app is a daemon, a Printer Application, emulating
   driverless IPP printers. For client requests it listens on an
   unprivileged port.
 - libpappl-retrofit is a library for developing Printer Applications,
   like legacy-printer-app.
   - Its purpose is to provide the basic infrastructure to create
     Printer Applications, daemons which emulate IPP printers.
   - Security features for daemons are not provided, responsibility is
     with programs using this library.
 - legacy-printer-app and daemons created with libpappl-retrofit do not
   open privileged ports (ports < 1024)
 - Package uses DNS-SD registration to advertise presence of Printer
   Applications.
 - Package does not contain extensions to security-sensitive software
   (filters, scanners, plugins, UI skins, ...)

[Quality assurance - function/usage]
 - libpappl-retrofit works well right after install (it is only a library)
 - legacy-printer-app is a daemon auto-started after install. User sets up
   printers within legacy-printer-app by a web admin interface
   (http://localhost:8000). User is guided to the web interface by
   the "Printers" module of G-C-C, when the planned changes are applied.

[Quality assurance - maintenance]
 - The package is maintained well in Debian/Ubuntu and has not too many
   and long term critical bugs open
   - Ubuntu https://bugs.launchpad.net/ubuntu/+source/pappl-retrofit/+bug
   - Debian https://bugs.debian.org/cgi-bin/pkgreport.cgi?src=pappl-retrofit
   - https://github.com/openprinting/pappl-retrofit/issues
 - The package has some upstream issues which are of lower importance
 - The package does not deal with exotic hardware we cannot support

[Quality assurance - testing]
 - The package does not run a test at build time because the upstream
   package does not contain one.
 - The package runs an autopkgtest, and is currently passing on
   this list of architectures as under [Availability], test log:
   https://autopkgtest.ubuntu.com/results/autopkgtest-mantic/mantic/amd64/p/pappl-retrofit/20230816_213646_2690b@/log.gz

[Quality assurance - packaging]
 - debian/watch is present and works

 - debian/control defines a correct Maintainer field

`lintian --pedantic`:

W: libpappl-retrofit1: symbols-file-contains-debian-revision on symbol _PRCUPSDeviceUserData@Base and 70 others (libpappl-retrofit.so.1) [symbols]

   --> Checked symbols file manually and all entries have 1.0~b2-0ubuntu1
       as package version of first appearance

 - No lintian overrides are present.

 - This package does not rely on obsolete or about to be demoted packages.

 - The package will be installed by default, but does not ask debconf
   questions higher than medium (no debconf questions at all)

 - Packaging and build is easy, debian/rules attached.

[UI standards]
 - libpappl-retrofit is not directly end-user facing. It uses the web
   interface of PAPPL and so PAPPL's translations.
 - legacy-printer-app also uses PAPPL's web interface.
 - No desktop files needed as legacy-printer-app runs permanently as
   a system daemon, user interface is the web interface.

[Dependencies]
 - No further depends or recommends dependencies that are not yet in main

[Standards compliance]
 - This package correctly follows FHS and Debian Policy

[Maintenance/Owner]
 - Owning Team will be the Ubuntu Printing Team (ubuntu-printing)
 - Team is already subscribed to the package

 - This does not use static builds
 - This does not use vendored code
 - This package is not rust based

 - The package has been built in the archive more recently than the last
   test rebuild

[Background information]
 - The Package description explains the package well
 - Upstream Name is pappl-retrofit
 - Link to upstream project: https://github.com/OpenPrinting/pappl-retrofit

Till Kamppeter (till-kamppeter) wrote :
description: updated
Lukas Märdian (slyon)
Changed in pappl-retrofit (Ubuntu):
assignee: nobody → Lukas Märdian (slyon)
Lukas Märdian (slyon) wrote :

Review for Source Package: pappl-retrofit

[Summary]
pappl-retrofit is a wrapper around pappl and cups to turn legacy printer drivers
into driver applications, usable in the snap world and elsewhere.
The software still seems to be in its early stages, with only beta versions
released and plenty of remarks during the review.

MIR team NACK
(Sorry, this doesn't feel ready for prime-time, yet. We can revisit at a later point in time.)

This does need a security review.

List of specific binary packages to be promoted to main: legacy-printer-app, libpappl-retrofit
Specific binary packages built, but NOT to be promoted to main: None

Notes:
#0: This runs a daemon as root (without any systemd hardening) and opens a port for a web interface, therefore I'm requesting security review.

Required TODOs:
- Please explain the FTBFS in a local Mantic sbuild chroot
- Please add (non-superficial) build-time (unit tests) and autopkgtests (integration tests)
  => We're the upstream, so this would be beneficial in multiple ways.
- Please consider some security hardening/isolation for the systemd service, or give reason of why it doesn't make sense in this case (see https://github.com/canonical/ubuntu-mir/pull/36)
- Provide a stable (non-beta) version, or explain the rationale for shipping beta software

Recommended TODOs:
- The package should get a team bug subscriber before being promoted [done]
- Consider improving the debian/watch file for beta versions
- Please explain the plan (if any) for packaging this in Debian
- Consider fixing some of the Lintian output listed below
- Consider improving the symbols file with some proper version (maybe after we have a non-beta release)
- Consider fixing some of the build-time warnings listed below
- Please explain the translation situation in more detail.
  How can the web-interface be reached? How will it be translated?

[Duplication]
There is no other package in main providing the same functionality.

[Dependencies]
OK:
- no other Dependencies to MIR due to this
  - SRCPKG checked with `check-mir`
  - all dependencies can be found in `seeded-in-ubuntu` (already in main)
  - none of the (potentially auto-generated) dependencies (Depends
    and Recommends) that are present after build are not in main
- no -dev/-debug/-doc packages that need exclusion
- No dependencies in main that are only superficially tested requiring
  more tests now.

Problems: None

[Embedded sources and static linking]
OK:
- no embedded source present
- does not have unexpected Built-Using entries
- not a go package, no extra constraints to consider in that regard
- not a rust package, no extra constraints to consider in that regard

Problems:
- static linking/library: /usr/lib/x86_64-linux-gnu/libpappl-retrofit.a
  But just as part of the -dev package, which should be fine.

[Security]
OK:
- history of CVEs does not look concerning
- does not use webkit1,2
- does not use lib*v8 directly
- does not parse data formats (files [images, video, audio,
  xml, json, asn.1], network packets, structures, ...) from
  an untrusted source.
  => It's parsing some printer driver data, but those are considered trusted.
- does not process arbitrary web cont...


Changed in pappl-retrofit (Ubuntu):
status: New → Incomplete
assignee: Lukas Märdian (slyon) → Till Kamppeter (till-kamppeter)
Steve Langasek (vorlon) wrote :

untargetting this from 23.10 beta, there's nothing that ties this to the milestone.

Changed in pappl-retrofit (Ubuntu):
milestone: ubuntu-23.10-beta → none